To answer this question, let's go through each option to understand why it is correct or incorrect:
Option A) A session whose timeout period has been set to -1 will never expire.
This option is incorrect because a session whose timeout period has been set to -1 will never expire. By default, the timeout period for a session is defined by the servlet container and can be configured in the deployment descriptor (web.xml) or programmatically. A timeout period of -1 means that the session will never expire.
Option B) A session will become invalid as soon as the user closes all the browser windows.
This option is incorrect because a session does not become invalid as soon as the user closes all the browser windows. The session may still be active and available on the server even if the browser windows are closed. The session will only become invalid after a timeout period defined by the servlet container.
Option C) A session will become invalid after a timeout period defined by the servlet container.
This option is correct. A session will become invalid after a timeout period defined by the servlet container. The timeout period can be configured in the deployment descriptor (web.xml) or programmatically using the setMaxInactiveInterval() method of the HttpSession object. Once the timeout period is reached without any activity from the user, the session will be invalidated.
Option D) A session may be explicitly invalidated by calling HttpSession.invalidateSession().
This option is incorrect because there is no invalidateSession() method in the HttpSession class. To explicitly invalidate a session, you can use the invalidate() method of the HttpSession object. For example, session.invalidate() will invalidate the current session.
The correct answer is Option C. A session will become invalid after a timeout period defined by the servlet container.